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[57] ABSTRACT 

The invention relates to a system for securing protected 
software against unauthorized, i.e. non-licensed, use in 
computer networks. The difficulty in licensing of software in 
a network is that simultaneous and multi-use of the licensed 
software on several or all computers integrated in the 
network have to be realized. Without software protection the 
software producer will lose potential customers. This con- 
cerns local networks as well as so-called wide area networks 
which can be operated across national or continental bound- 
aries. In accordance with the invention the object is accom- 
plished by a system for securing protected software against 
unauthorized use in computer networks consisting of a query 
component, a management component and an authorization 
component whereby the query component communicates 
with the management component in a bidirectional exchange 
of information and the management component communi- 
cates with the authorization component in a bidirectional 
exchange of information, wherein the authorization compo- 
nent is a module or licence box having a unique identifica- 
tion code and is separate, independent of any computer in 
the network and integrable into the computer network in any 
way. 

15 Claims, 3 Drawing Sheets 
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SYSTEM FOR SECURING PROTECTED 
SOFTWARE FROM UNAUTHORIZED USE IN 
COMPUTER NETWORKS 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The invention relates to a system for securing protected 
software from unauthorized, i.e. unlicensed, use in computer 
networks, e.g. networks of UNIX workstations. 

With increasingly widespread use of computer networks, 
there is a growing need to protect software producers from 
unauthorized use, within computer networks, of the software 
programs which they produce. In recent times, increasing 
importance has been attached to computer networks con- 
sisting of several interconnected work stations each having 
its own processor capacities, one or several processors, and 
which allow simultaneous operation of the same software at 
several work locations. This implies the possibility that a 
computer program, which is working on at least one com- 
puter integrated into a network, can be used simultaneously 
on several computers, on several processors and in multi- 
tasking operation on one processor, because without the 
possibility of simultaneous multi-use, all customers would 
have to purchase several copies of the program. 

The problem of licensing software on a network consists 
therefore in allowing usage and protection for licensed 
software in a simultaneous multi-user environment on 
several, or all, computers integrated into the network. With- 
out software protection, multi-use will lead to the software 
producer losing potential customers. This is the case for 
local networks as well as for so-called wide area networks 
which can be operated across national or continental bound- 
aries. 

At the same time, it is also very useful for the customer 
if the number of software licenses to be bought is dependent 
upon actual user requirements for the software and not on 
the number of computers provided for that use. 

It is therefore in the interests of the software producer and 
also of the customer to provide for effective protection of 
licensed software in a network but which at the same time 
does not hinder users in the authorized, flexible use of the 
software purchased. 

2. Description of the Prior Art 

Systems used until now for protecting software are based 
on two fundamental principles. These are, on the one hand, 
PC orientated hardlocks, also known as dongles, which are 
normally connected to the computer's parallel interface. A 
dongle normally uses a hardware key to authorise the use of 
a program on a computer to which the dongle is physically 
connected. 

Examples of a dongle are to be found in WO 91/15816, 
WO 94/06071 and EP 183 608. 

The disadvantages of such a system are that the dongle 
must be connected to the computer upon which the software 
is to be used. If a licence is to be used on another computer, 
it is necessary to transfer the dongle. When using several 
software programs, each of which is protected by a dongle, 
the number of dongles becomes a hinderance because the 
necessary arranging of the different dongles, one after the 
other, becomes a technical impediment whilst at the same 
time decreasing operational security, which can lead to 
computer crashes and hardware damage. Such a dongle is 
not suitable for use in computer networks since neither the 
number of simultaneously operating software programs can 
be monitored, nor the licensing of software programs on 
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other computers is possible. Multi-user licenses and licenses 
on different platforms, such as personal computers and 
UNIX workstations cannot be managed. 
At the same time it is a guarantee deficiency associated 

5 therewith that upon logging onto a PC in a network via an 
external terminal, e.g via WINDD from Tektronix Co., 
uncontrolled multi-use of protected software is possible. 

The second possibility for software protection comprises 
the use of a so-called licence manager in computer networks 

10 which represents a program installed on one computer in a 
network. This program monitors the use of a given number 
of licenses for protected programs running cither on the 
same computer or on a different computer of the same 
network. Authorisation for usage of the program is based on 

15 definite identification of each computer by means of its 
so-called host-ID or its network address. 

Examples of licence managers such as these are the 
Flexlm from Highland Software and Netls from Hewlett 
Packard and is also disclosed in the Japanese patent appli- 

20 cation 6-223040. 

The disadvantages of a so-called licence manager, which 
is installed on one computer in a network, are that the 
monitoring of the licenced programs is tied to one or several 

25 specific computers in a network, the licencing being 
dependent, therefore, on at least one specific computer. If 
this computer ceases to function, either through defect or by 
its removal from the network, e.g because of aging or 
necessary repairs, this results in no further work being 

30 possible with the licensed software programs on all other 
computers in the network. It is also impossible to transfer 
existing licenses from one network to another. In this case it 
is necessary to contractually agree to a costly re-licensing. 
Furthermore, this transferring of the licence does not prevent 

35 the licensee from illegally continuing to use the previous 
licence on the old computer. 

SUMMARY OF THE INVENTION 

Therefore it is the object of the invention to develop 

40 software protection for use in computer networks, consisting 
of at least one computer, which corresponds to the require- 
ments and interests of the licenser and which, at the same 
time, does not prevent the authorized use of the software 
purchased. The software protection should be independent 

45 of a specific computer in a network and be applicable on any 
computer networks. 

In accordance with the invention the object is accom- 
plished by a system for securing protected software against 
unauthorized use in computer networks consisting of a query 

50 component, a management component and an authorization 
component whereby the query component communicates 
with the management component in a bidirectional exchange 
of information and the management component communi- 
cates with the authorization component in a bidirectional 

55 exchange of information, characterised in that the authori- 
zation component is a module having a unique identification 
code and is separate, independent of any computer in the 
network and integrable into the computer network in any 
way. 

60 This module licence box, with its own identification code 
and integrated into the network independent of any network 
computer, gives a level of software protection which allows 
the allocation and monitoring of network-wide floating 
licenses independent of any hardware platform and inde- 

65 pendent of specific computers which may be subject to aging 
and defects and thus its removal. In this specification the 
term "module" is meant in the sense of a "licence box" 
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which is an independent hardware unit and which is not The management component includes software for man- 
integrated in or part of a computer. The advantage of this is aging the protected software, which can be either loaded or 
that all computers in the network can be interchanged as installed on any computer in the network, as required, or is 
required whilst making possible the continued licensed integrated into the module. 

usage of software in the licensed numbers on any desired 5 The individual components of the software protection 

computer in the network. The licenses are thus readily system exchange information with each other in a bidirec- 

transferable to any other computer network as required, lional manner, i.e. the query component communicates with 

simply by removing the module from one computer network thc management component and this, in turn, communicates 

and integrating it into another network. Further simulta- wilh thc authorization component. This information 

neous use of the software in the old network is not possible. 10 exchange is carried out, preferrably, with the aid of coded 

It is thus no longer necessary to remove the computer from protocols. Storing of thc information in the module, prefer- 

the previous network and integrate it into the new network. aD i y a programmable electronic unit such as a CMOS- 

If a specific computer is removed from the network or is storage device, is also carried out with the aid of a coded 

defective, the licensed software can still be used without protocol. 

restriction on other computers in the network. It is thus 15 £ach module b ^ ^ , uni ^ ; e R0 mher 

unnecessary to carry out a re-l.cens.ng, wh.ch * costly and module has ^ idenlica| ^ ^ raanagement exponent 

offers only a limited or poor software protect.on as .1 was ^ abl ^ tbe M of installed of loaded , icence ^ 

previously necessary with the computer which had been mcm softwarc (0 idcmif and ^ identificat f on 

programmed by the licence manager and equipped with the ^ , f , ic6nsed ft ^ 

is called on any network 

identification code. 20 computcr which ^ pr0 vided with the system according to the 

The module or licence box represents an independent host invention, its query component will establish a connection 

in the network and provides a unique identification code with the nearest management component. The management 

across the network. The identification code can be either a component then establishes a connection to the authorization 

host ID, its network address or another unique password, component to obtain the necessary information, i.e. the 

By using this identification code and licence information, 25 identification code, the licence information and the licensing 

the licenser designs a unique licensing code for the software code for permitting or blocking the usage of the software. If 

to be protected. Modifications of the licenses can only be the necessary information is made available by the module, 

made by the licenser by modifying the licensing code. i.e. if the management component identifies, for example, 

The user requires the identification code, licence infor- the module's host ID, and if the licence information corre- 

mation and the licensing code for authorization of the use of 30 sponds with the licensing code, the use of the software will 

the protected software. be permitted for the requesting computer. If there is no 

This licence information should include the licenser(s), correspondence between the information and the informa- 

the name and version of the license(s), the number of tion in the management component, i.e authorized use of the 

licenses as well as the begin and end dates of the licensing 35 software is not identified, the use of the software will not be 

period. Further or other licence information can be stored for permitted. 

call up as required. The computer network can be a local network as well as 

In a preferred embodiment the module is provided with all a wide area network. The module can be removably inte- 

information necessary to authorise the usage of the licensed grated at any place into the computer network with the aid 

software, this information being made up of the identifica- 40 of the corresponding conventional network connections, 

tion code, the licensing code and the licensing information. These network connections are, for example, network cables 

In another preferred embodiment, the authorization com- wil " suitable pin/plug connections. The module, which also 

ponent consists of the module and a file which can be loaded can be referred to as a licence box is a separate hardware 

or installed on any computer in the network as required, or component, preferably an electronic component which is 

which can be stored in readable form by the computer in any 45 independent of the computers in the network, 
other manner. The file contains either the licensing code or 

the licence information, or both, i.e. licensing code and BRIEF DESCRIPTION OF THE DRAWINGS 

licence information with the module including, in each case invention will now be described by way of examples 

the informalion which is still missing, but in every case of embodiments taken in conjunction with the accompany- 

includes the identification code. 50 j n g drawings. 

By storing of a new licensing code and new licence FIG. 1 shows a diagrammatic representation of a com- 

information completely new licenses for other software of puter network wjth inl ttted module . 

the same licenser or another licenser as well as modifications - . _ _ . ... 

. „ ■ f ■ _ i_ • , I ICj. 2 shows a now diagram of the authorization process 

to existing licenses can be input, ^ errait 

Storing the information necessary for authorization in the 55 a " P ernilt " 

authorization component has the advantage that several FIG. 3 shows a flow diagram of the authorization process 

different licenses which may originate also from different and P ermit m accordance with a further embodiment of the 

licensers can be stored simultaneously and can be permitted invention. 

upon demand for authorized use. It is of no significance on ncorDiimnM nn tuc c^nnnixjcM-rc 

which computer in the network the licensed software is to be 60 DESCRIPTION OF THE EMBODIMENTS 

used. The use is only restricted by the number of users FIG. 1 shows a diagrammatic representation of a com- 

allowed by a license. That means for example, if ten licenses puter network consisting of nine computers Rl to R9 in 

have been granted for a particular software program for the total. One network computer, in this case Rl, has licence 

network, these ten licenses are permitted for simultaneous management software 12 installed or loaded, which 

use, as required, independent of computer, whilst any 65 exchanges information with computers Rl to R9 as well as 

requests above this number will be rejected. This is the with a module 10 integrated in the computer network 1. 

responsibility of the management component. Software 12 could be loaded or installed in any of the 
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network computers Rl to R9, or could be integrated into Licensing code or the licence information could be stored in 

module 10 itself, and the use of licensed software Lra (m is module 10 instead of in file 14. 

a whole number and represents the number of licenses of a Whilst each module is already provided with a unique 
protected software program in a network). Software 12 is identification code which is different from that of every other 
supplied to the licensee with the licence of the licensed 5 module, the other Licence -related information can be modi- 
software Lm. The licence can be configured different for fied at any time in the licensing code as desired. This is 
different types of licenses, e.g. floating licence or a license established by the licenser or his authorized vendor provid- 
ed to a host. The licensed software Lm includes a query mg a new licensing code. Thus the number of licenses, the 
component which addresses the software 12 and the soft- licence name, and the version of the licence can be updated 
ware 12 establishes the further connection to the module 10 1Q as re q U ired in accordance with the contractual arrangement 
which is separate from the computers Rl Rn. between the licenser and the licensee and new licenses can 

Query and permitting the authorized use of the licensed also be integrated, as required, for other protected programs, 

software takes place in different courses depending on the A new up d a ting will also be carried out upon delivery of a 

configuration of module 10. new version of the Ucence software> Unauthorized further 

FIG. 2 shows a flow diagram where the authorization use of old versions of the licence is thus no longer possible, 

component 8 consists only of module 10 and is provided B enteri the dates of the farming and end of the 

with all the information necessary for the authorization of a simultaneous check can be made mal the 

program usage. contractually agreed licensing period is kept and any unau- 

If a protected program LI, . . . ,Lm is started on one or lnoriz ed usage outside this period can be prevented. If the 

several computers Rl, ,Rn, a connection will be ^ prote cted programs originate with one licenser, the same 

established by the query component 2 of the program software will normally be used for licence management. If 

LI, . . . ,Lm to the management component 6, which in this protected software is provided by different licensers, differ- 

case includes software 12 loaded in one of the network ent liccnce managem cnt programs 12 may be necessary for 

computers Rl, ,Rn. This Software could also be the exchange of information with module 10. The licensee 

integrated into module 10 itself. This software 12 then 2$ will thcn rcccive lhc liccnce management program 12, 

attempts to establish a connection to the authorization com- corresponding to the protected software or to a new version, 

ponent 8 integrated into the computer network, in this wnicn is i oat ied or installed on a network computer or in the 

example module 10. If such a module is not available or authorization component 8. 

cannot be addressed because the corresponding information identification code, i.e. the host ID, the network 

is missing, the program 12 blocks further run of the pro- 3Q address or another unique code are always tied to the 

tected program LI, . ,Lm. If an appropriate module 10 is separate module 10 which is independent of any computer, 

found in the network, program 12 causes a query to the so thal authorization for use of protected software is only 

module 10 for the identification code, the licence informa- permitted if the licence management software 12 determines 

tion and the licensing code and determines whether usage of lhe identification code and the other licence information and 

the protected program LI, . . . ,Lm is authorized or not. The 35 the ii cens i ng code are correct, 

query can be carried out either sequentially or simulta- What is claimed is: 

neously and includes the following stages: L A system for securing protected software against unau- 

Is the identification code known? thorized use in a network of computers, comprising: 

Is the licence name available or known? a query component, a management component which 

Is it the right program version? 40 bidirectionally communicates with said query 

Is the date of query within the begin and end dates of the component, and 

license? an authorization component which bidirectionally corn- 
Has the number of licenses been exceeded? municates with said management component, said 
Only when all the questions have been answered with authorization component including a hardware module 
"Yes", the use of the protected software LI, . . . ,Lm will be 45 that has a unique identification code, is not integrated 
permitted on the corresponding network computer Rl, . . . in a computer, and is integrated into the network 
,Rn. If any one of the questions is answered with "No", no independent of any network computer, 
further use of the program will be allowed and the program 2. The system according to claim 1, wherein said unique 
will be cancelled or further access will be blocked. identification code is a unique password. 

The exchange of information between components 2, 6 50 3. The system according to claim 1, wherein said unique 

and 6, 8 is realized by means of a coded protocol. identification code is a host ID. 

In another embodiment of the invention, shown in the 4. The system according to claim 1, wherein said module 

flow diagram in FIG. 3, the authorization component 8 has a network address and said unique identification code is 

consists of the module 10 as well as a file 14 which is loaded said network address. 

or installed on one of the network computers Rl, . . . ,Rn or 55 5. The system according to claim 1, wherein said module 

is in some other way readable. Only the identification code contains a data file containing all information necessary for 

is stored in module 10, while the other licence-related authorization. 

information is contained in the file 14 in the network 6. The system according to claim 5, wherein said infor- 

computer Rl, . . . ,Rn, on which the licence management mation necessary for authorization includes said unique 

software 12 is also, preferably, installed or loaded, so that 60 identification code, a licensing code, and license informa- 

query of module 10 only checks the correspondence or lion. 

matching of the host ID or the network address, respectively, 7. The system according to claim 1, wherein said autho- 

with the license. The remaining information is read out from rization component further includes a file loaded on one of 

the file 14 and checked by the license management software the computers and readable by all of the computers. 

12. 65 8. The system according to claim 7, wherein said file 

Even here, however, further alternatives are possible. includes data representing a licensing code and licensing 

Software 12 could be a component of module 10, or the information. 
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9. The system according to claim 7, wherein said file 
includes only a licensing code. 

10. The system according to claim 7, wherein said file 
includes only licensing information. 

11. The system according to claim 1, wherein said man- 
agement component includes software. 

12. The system according to claim 11, wherein said 
software is installed or loaded on a computer in said network 
as required. 



8 



13. The system according to claim 11, wherein said 
software is integrated into said module. 

14. The system according to claim 1, wherein a coded 
protocol is used to exchange information. 

15. The system according to claim 1, wherein said module 
is a programmable electronic unit. 
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